
Search Engine Spider and User Agent Identification Forum

    
Mysterious User Agent is random string, AQJPTSIP, e.g.
Anybody know what kind of masking agent is being used and why?
nonprof webguy




msg:403557
 8:01 pm on May 9, 2002 (gmt 0)

In my logs there are a very small number of hits that record the UA as a random string of capital letters. UOPKUXXBTGH or KRCNONPATKW or something like that. Just 7 of these since 1/1/02, in fact.

The other strange thing is that except for two isolated requests of my default page, they are all hits for one particular page deep in my site; 5 times on separate days over a 12-day period. They didn't request any of the page's graphics. There is no referer.

The IPs are all from various ISPs in the US and Canada. The latest, which appeared once, is a Spanish telephone company.

There's one IP with the random string UA -- the last appearance, in fact, on April 17th -- that had appeared back in February using MSIE 5.01 and looking for our old publications page, and getting served instead our new one (which my server does automatically) -- yet again, they didn't request any of the page's graphics, yet did request the page's .js file.

Has anybody seen this and know what it is?

 

littleman




msg:403558
 8:10 pm on May 9, 2002 (gmt 0)

I'd start collecting the IPs and try to figure out the similarities. Odds are good that they are proxy servers, and that this is a single program hitting you via these proxies.

hanuman




msg:403559
 7:25 am on Jun 11, 2002 (gmt 0)

Quote from:
[leekillough.com...]

"Altavista and DIIbot use suspicious request methods to test 404 errors. These robots, and perhaps others, probably use this method in order to figure out what a server's 404 response is (a kind of "profile"), and assumes that it's the same for all 404 pages.

Altavista only started doing it this year (2002). They request the page: /kjhgdkjhf1goifj2lktjelj34knfhjguih8bbj/index.htm.

However, these requests are completely innocuous to Apache, and probably do not need to be blocked."

HTH
Hanuman

nonprof webguy




msg:403560
 6:05 pm on Jun 11, 2002 (gmt 0)

Yes, I've seen those strange hits, too. I'd tracked them back to Altavista via the IP, and so I didn't worry about them -- plus there are so few of them. Now I know what they are! Thanks!

As for the random user agent strings I first wrote of, my best guess is that it is either part of a research project or some kind of privacy software. It's not a bandwidth problem at all, just a curious phenomenon.

threefour




msg:403561
 3:37 am on Jun 12, 2002 (gmt 0)

I also got similar random named user agents (UZWIKKDJYZNQ, HQYLPTAQR etc). Had a closer look at my logs and saw that they were only accessing certain files on my site (maybe 3 pages out of 25). The following user agents were also accessing ONLY these pages.
DSurf15a 01
PSurf15a VA
DSurf15a 71
DBrowse 1.4b
EBrowse 1.4b
PBrowse 1.4b
DSurf15a 21
These user agents have been discussed previously in the following topic:
[webmasterworld.com...]

The IP addresses that these requests were coming from in my case:

They seem to be coming from different ISPs. My opinion is that they are spambots, trying to get email addresses?
I'm almost positive that they are related to Dsurfx and the other user agents. Can anyone else spot a relation in their logs between these?

Kev




msg:403562
 7:30 am on Jun 12, 2002 (gmt 0)

I've had all these user agents coming from similar IPs; they only EVER visit default home pages and /guestbook/ default pages. Also recorded the random upper case agent coming from the same IPs after blocking *Surf* and *Browse* agents - definitely email harvesters IMHO, I have a trap out for them to try to verify.
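The log correlation discussed in the posts above, as an added example that is not part of any poster's message: it flags requests whose whole user agent is a run of capital letters with no referer, groups the requested paths by IP, and reports which of those IPs also appeared with a *Surf*/*Browse* agent. The log lines are constructed, and the Apache combined log format and the 6 to 16 letter length bound are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format (documentation IPs,
# made-up paths); they are not taken from any poster's logs.
SAMPLE_LOG = '''\
192.0.2.10 - - [17/Apr/2002:10:01:00 +0000] "GET /pubs/report.html HTTP/1.0" 200 5120 "-" "UOPKUXXBTGH"
192.0.2.10 - - [12/Feb/2002:09:30:00 +0000] "GET /guestbook/ HTTP/1.0" 200 2048 "-" "DSurf15a 01"
198.51.100.7 - - [18/Apr/2002:11:15:00 +0000] "GET /pubs/report.html HTTP/1.0" 200 5120 "-" "KRCNONPATKW"
203.0.113.5 - - [18/Apr/2002:11:16:00 +0000] "GET /pubs/report.html HTTP/1.1" 200 5120 "http://example.org/" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
203.0.113.5 - - [18/Apr/2002:11:16:01 +0000] "GET /img/logo.gif HTTP/1.1" 200 900 "http://example.org/pubs/report.html" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
198.51.100.9 - - [19/Apr/2002:08:00:00 +0000] "GET / HTTP/1.0" 200 3000 "-" "PBrowse 1.4b"
'''

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
RANDOM_UA = re.compile(r'[A-Z]{6,16}')         # assumed bound: UA is one run of capitals
KNOWN_UA = re.compile(r'^[A-Z](Surf|Browse)')  # DSurf15a, PBrowse 1.4b, ...

def analyse(log_text):
    """Return (random_hits, overlap): paths per IP for random-string UAs, and
    the IPs among them that also appeared with a *Surf*/*Browse* agent."""
    random_hits = defaultdict(set)
    known_ips = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ua = m['ua']
        if RANDOM_UA.fullmatch(ua) and m['referer'] in ('', '-'):
            random_hits[m['ip']].add(m['path'])
        elif KNOWN_UA.match(ua):
            known_ips.add(m['ip'])
    return dict(random_hits), sorted(known_ips & set(random_hits))

if __name__ == '__main__':
    hits, overlap = analyse(SAMPLE_LOG)
    for ip, paths in sorted(hits.items()):
        note = '(also seen with a Surf/Browse UA)' if ip in overlap else ''
        print(ip, sorted(paths), note)
```
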

threefour




msg:403563
 1:55 pm on Jun 12, 2002 (gmt 0)

Yeah, I've noticed that they seem to add blank entries to guestbooks. I found an example on the web at [donotenter.com...]

Kev




msg:403564
 2:04 pm on Jun 12, 2002 (gmt 0)

Never added anything to mine like that - different field names at a guess?
